1 Introduction


To specify a concurrent program, one must specify what its atomic actions are. If $x := x + 1$ is executed as a single atomic action, then

$$\mathbf{cobegin}\ \ x := x + 1 \ \parallel\ x := x + 1 \ \ \mathbf{coend}$$

increments $x$ by 2; if each read and store of $x$ is a separate atomic action, then it increments $x$ by 1 or 2.

We specify that a statement is executed as a single atomic action by enclosing it in angle brackets. For example, $\langle x := x + 1\rangle$ is a statement that is executed as one atomic action. A statement $x := x + 1$ in which each read and store of $x$ is a separate atomic action can be written as

$$\langle t := x\rangle;\ \langle t := t + 1\rangle;\ \langle x := t\rangle$$

where $t$ is a new variable that is local to the process and represents an "accumulator".

Representing a program using fewer atomic actions simplifies reasoning about it. One way to reduce the number of atomic actions in a program is to combine two or more atomic actions into a single larger one. This is often done by pretending that a statement is atomic if its execution contains at most one access (read or write) of a shared variable, tacitly applying what we will call the single-action rule. For the example above, applying this rule would allow

$$\langle t := x\rangle;\ \langle t := t + 1\rangle$$

to be combined into the single atomic action $\langle t := x + 1\rangle$.

The single-action rule cannot always be applied. For example, it would imply that any operation can be considered atomic in a single-process program, because no variable is shared. This would mean that a property of the program

$$\langle y := x + 1\rangle;\ \langle x := y\rangle \qquad (1)$$

could be established by proving it for the program

$$\langle y := x + 1;\ x := y\rangle \qquad (2)$$

This reasoning is wrong. The following property holds for the second program but not the first.

If the program is started in a state with $x = y$, then $x = y$ holds in all states reached during execution.

Execution of (1) reaches an intermediate state in which $x \neq y$, a state that does not occur when executing (2).
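The difference between programs (1) and (2), and between the two readings of the cobegin statement, can be made concrete by enumerating every finite execution. The following Python is an added example, not code from the paper: it encodes a state as a tuple, an action as a function from a state to its set of successor states, and explores all reachable states. The program counters, the accumulator variables and the starting state $x = y = 0$ are constructed for the example.

```python
"""Explicit-state exploration of the introduction's small programs.

Added example, not code from the paper.  A state is a tuple; an action is a
function from a state to the set of its successor states (the empty set
means the action is not enabled in that state).  Exploring all finite
histories from the initial states is exactly what a safety property of the
form Init => []Q talks about."""


def explore(init_states, actions):
    """Return every state reachable from init_states by executing actions."""
    seen = set(init_states)
    frontier = list(init_states)
    while frontier:
        state = frontier.pop()
        for action in actions:
            for successor in action(state):
                if successor not in seen:
                    seen.add(successor)
                    frontier.append(successor)
    return seen


# Program (1): <y := x + 1>; <x := y>.  State = (pc, x, y); pc counts the
# completed statements, so pc == 1 is the intermediate state.
def program_1():
    def first(s):
        pc, x, y = s
        return {(1, x, x + 1)} if pc == 0 else set()

    def second(s):
        pc, x, y = s
        return {(2, y, y)} if pc == 1 else set()

    return [first, second]


# Program (2): <y := x + 1; x := y> as one atomic action, pc jumps 0 -> 2.
def program_2():
    def both(s):
        pc, x, y = s
        return {(2, x + 1, x + 1)} if pc == 0 else set()

    return [both]


def x_equals_y_everywhere(actions, init=(0, 0, 0)):
    """Init => [](x = y), with Init fixing x = y = 0 (a constructed start state)."""
    return all(x == y for _, x, y in explore({init}, actions))


# cobegin x := x + 1 || x := x + 1 coend.  State = (pcs, accumulators, x):
# one program counter and one local accumulator t per process.
def increment_process(i, atomic):
    """Actions of process i; the fine-grained form is <t := x>; <t := t+1>; <x := t>."""

    def update(s, pc, t=None, x=None):
        pcs, ts, xv = s
        pcs = tuple(pc if j == i else p for j, p in enumerate(pcs))
        ts = tuple(t if (j == i and t is not None) else v for j, v in enumerate(ts))
        return (pcs, ts, xv if x is None else x)

    if atomic:
        return [lambda s: {update(s, 1, x=s[2] + 1)} if s[0][i] == 0 else set()]
    read = lambda s: {update(s, 1, t=s[2])} if s[0][i] == 0 else set()
    incr = lambda s: {update(s, 2, t=s[1][i] + 1)} if s[0][i] == 1 else set()
    write = lambda s: {update(s, 3, x=s[1][i])} if s[0][i] == 2 else set()
    return [read, incr, write]


def final_x_values(atomic):
    """Set of values x can have once both processes have finished."""
    actions = increment_process(0, atomic) + increment_process(1, atomic)
    done = 1 if atomic else 3
    init = ((0, 0), (0, 0), 0)
    return {x for pcs, _, x in explore({init}, actions) if pcs == (done, done)}
```

`x_equals_y_everywhere(program_2())` is true while `x_equals_y_everywhere(program_1())` is false, because the intermediate state `(1, 0, 1)` of program (1) has $x \neq y$; `final_x_values(False)` is `{1, 2}` and `final_x_values(True)` is `{2}`, which is the observation that opens the section.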

In this paper, we derive a general rule for combining atomic actions. It includes a correct version of the single-action rule as a corollary. Our rule applies only to safety properties, which include partial correctness, mutual exclusion, and deadlock-freedom, but not to liveness properties, such as termination and starvation-freedom. A safety property asserts that "something bad does not happen", so if it is violated, then it is violated by a finite portion of a (possibly infinite) execution of the program.

The idea of combining atomic actions is probably as old as the study of concurrent algorithms. To our knowledge, the single-action rule was first mentioned in print by Owicki and Gries [10], where it was informally claimed for partial correctness properties. In [9], Lipton formally proved a closely related theorem for partial correctness and deadlock-freedom. However, Lipton was primarily concerned with semaphore operations, and it was not widely recognized that the single-action rule is a corollary of his results. Doeppner [4] extended Lipton's partial-correctness result to a somewhat larger class of safety properties. In this paper, we extend Lipton's and Doeppner's results to a more general class of safety properties.


2 Lipton's Theorem

Before describing our result, we give an informal review of Lipton's work [9]. The hypotheses of his main theorem involve commutativity relations between atomic actions. We begin by defining these relations, departing somewhat from Lipton's original notation.

Henceforth, we refer to atomic actions simply as actions. Formally, an action $\alpha$ is a set of pairs of program states, where $(t, u) \in \alpha$ means that executing $\alpha$ in state $t$ can produce state $u$. We say that $\alpha$ is enabled in state $t$ iff (if and only if) there is a state $u$ such that $(t, u) \in \alpha$. We write $t \overset{\alpha}{\rightarrow} u$ to denote that $(t, u)$ is an element of $\alpha$. For example, a semaphore operation $P(sem)$ is represented by an action $\alpha$ that is enabled in state $t$ iff control is at that operation and the value of $sem$ is positive. For this action, $t \overset{\alpha}{\rightarrow} u$ holds iff (i) $\alpha$ is enabled in state $t$ and (ii) state $u$ is the same as $t$, except that control is after the semaphore operation and the value of $sem$ is one less than its value in $t$.

The program state includes control information, in addition to the values of program variables. Thus, two instances of a statement $\langle x := x + 1\rangle$ in a program are different actions because they have different effects on the control components of the state.

If $\alpha$ and $\beta$ are actions, then $\alpha\beta$ is defined to be the action such that $t \overset{\alpha\beta}{\rightarrow} u$ iff there exists a $v$ such that $t \overset{\alpha}{\rightarrow} v$ and $v \overset{\beta}{\rightarrow} u$. An action $\rho$ right commutes with an action $\alpha$ iff $t \overset{\rho\alpha}{\rightarrow} u$ implies $t \overset{\alpha\rho}{\rightarrow} u$, for every pair of states $t$, $u$. In other words, $\rho$ right commutes with $\alpha$ means that if it is possible to execute first $\rho$ then $\alpha$, then it is possible to produce the same state by executing first $\alpha$ then $\rho$. Similarly, $\lambda$ left commutes with $\alpha$ iff $t \overset{\alpha\lambda}{\rightarrow} u$ implies $t \overset{\lambda\alpha}{\rightarrow} u$ for every pair of states $t$, $u$. Thus, $\rho$ right commutes with $\lambda$ iff $\lambda$ left commutes with $\rho$. Two actions commute iff each one left commutes and right commutes with the other.

The hypotheses of Lipton's main theorem involve commutativity between actions in different processes. An action $\rho$ in a process is called a right mover iff it right commutes with the actions of every other process. An action $\lambda$ is a left mover iff it left commutes with the actions in every other process.

Lipton observed that, if semaphore operations are represented as atomic actions, then $P$ actions are right movers and $V$ actions are left movers. To see that $P$ actions are right movers, let $\rho$ be a $P(sem)$ action, let $\lambda$ be an action in another process, and assume that executing $\rho$ then $\lambda$ from state $t$ can produce state $u$. There are three cases to consider.

• $\lambda$ does not access the semaphore $sem$. In this case, $\rho$ can obviously be executed after $\lambda$ to produce the same state $u$.

• $\lambda$ is another $P(sem)$ action. Executing the two $P(sem)$ actions in either order must produce the same state.

• $\lambda$ is a $V(sem)$ action. In this case, executing $\lambda$ from state $t$ produces a state with $sem > 0$, so $\rho$ can then be executed to produce state $u$. (Note that $\rho$ does not left commute with $\lambda$ because, in a state with $sem = 0$, it is possible to execute a $V(sem)$ followed by a $P(sem)$, but not a $P(sem)$ followed by a $V(sem)$.)

Similar reasoning shows that every $V$ action is a left mover.
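The three cases above, and the parenthetical remark about $sem = 0$, can be checked mechanically by representing actions as relations on a small explicit state space. The following Python is an added example, not the paper's code. It assumes two processes that each execute a single statement on one shared semaphore, a state encoded as `((pc0, pc1), sem)`, and a constructed finite set of states with `sem` in 0..3; the definitions of right and left commutativity are transcribed directly from the text.

```python
"""Checking the commutativity relations of Section 2 on explicit states.

Added example, not the paper's code.  An action is a function from a state
to its set of successor states, i.e. the relation {(t, u)} the paper writes
as t -> u; then(t, a, b) computes the successors of t under the composed
action ab (first a, then b)."""


def then(t, first, second):
    """States u with t --first--> v --second--> u for some v."""
    return {u for v in first(t) for u in second(v)}


def right_commutes(rho, alpha, states):
    """rho right commutes with alpha: t --rho alpha--> u implies t --alpha rho--> u."""
    return all(then(t, rho, alpha) <= then(t, alpha, rho) for t in states)


def left_commutes(lam, alpha, states):
    """lam left commutes with alpha: t --alpha lam--> u implies t --lam alpha--> u."""
    return all(then(t, alpha, lam) <= then(t, lam, alpha) for t in states)


# Two processes sharing one semaphore.  State = ((pc0, pc1), sem); each
# process executes a single statement, moving its pc from 0 to 1.
def advance(pcs, i):
    return tuple(p + 1 if j == i else p for j, p in enumerate(pcs))


def P(i):
    """P(sem) in process i: enabled only when sem > 0, decrements sem."""
    return lambda s: {(advance(s[0], i), s[1] - 1)} if s[0][i] == 0 and s[1] > 0 else set()


def V(i):
    """V(sem) in process i: always enabled, increments sem."""
    return lambda s: {(advance(s[0], i), s[1] + 1)} if s[0][i] == 0 else set()


def local(i):
    """An action of process i that does not access the semaphore."""
    return lambda s: {(advance(s[0], i), s[1])} if s[0][i] == 0 else set()


# A constructed finite state space: both pcs in {0, 1}, sem in 0..3.  The
# actions are total functions, so the bound introduces no boundary effects.
STATES = {((a, b), sem) for a in (0, 1) for b in (0, 1) for sem in range(4)}


def semaphore_movers():
    """Reproduce the observations of Section 2 about P and V actions."""
    others = [P(1), V(1), local(1)]          # what the other process may do
    return {
        "P is a right mover": all(right_commutes(P(0), a, STATES) for a in others),
        "V is a left mover": all(left_commutes(V(0), a, STATES) for a in others),
        # the parenthetical remark: from sem = 0, V then P is possible, P then V is not
        "P left commutes with V": left_commutes(P(0), V(1), STATES),
        "V right commutes with P": right_commutes(V(0), P(1), STATES),
    }
```

The first two entries of `semaphore_movers()` come out true and the last two false: from `((0, 0), 0)`, executing `V(1)` then `P(0)` reaches `((1, 1), 0)`, whereas `P(0)` is not enabled first, which is exactly why a $P$ action is a right mover but not a left mover.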

To combine actions, Lipton introduced the notion of reducing a program by a statement. Let $S$ be a sequence $\langle S_1\rangle; \langle S_2\rangle; \ldots; \langle S_k\rangle$ of statements in a program $\Pi$. Program $\Pi$ reduced by $S$, denoted $\Pi/S$, is the program obtained from $\Pi$ by replacing $S$ with the single atomic statement $\langle S_1; \ldots; S_k\rangle$. Lipton proved the following result.

Lipton's Theorem Let $\Pi$ be a program and $S$ have the form $\langle S_1\rangle; \langle S_2\rangle; \ldots; \langle S_k\rangle$, where, for some $i$:

1. $S_1, \ldots, S_{i-1}$ are right movers.

2. $S_{i+1}, \ldots, S_k$ are left movers.

3. From any program state in which execution of $S$ has begun but not terminated, it is possible, by executing only actions in $S$, to reach a state in which $S$ has terminated.

Then, programs $\Pi$ and $\Pi/S$ satisfy the same partial correctness and deadlock-freedom properties.

The single-action rule asserts that, if $S$ contains at most one access to a shared variable, then we can prove a property of program $\Pi$ by proving it for $\Pi/S$. If an action $\alpha$ does not access any variable that is accessed by any other process, then $\alpha$ is both a left and a right mover. Letting $\langle S_i\rangle$ be the single statement in $S$ that accesses a shared variable (or any statement if $S$ does not access a shared variable), Lipton's Theorem implies the single-action rule for reasoning about partial correctness and deadlock freedom, except that the single-action rule does not require hypothesis 3. We will show that hypothesis 3 is not needed in Lipton's Theorem for partial correctness properties, so the single-action rule is valid for partial correctness.

Partial correctness relates initial and final states, but makes no assertion about states in which control is inside $S$. Doeppner extended Lipton's result to a more general class of safety properties that also assert nothing when control is within $S$. A precise statement of Doeppner's result is given below.

To use Lipton's Theorem (or Doeppner's extension), one usually performs many reductions to decrease the number of separate actions in a program. We now show that these reductions can all be done at once. Let $S$ and $S'$ be two disjoint sequences of statements. We show that if $S$ and $S'$ both satisfy the hypotheses of Lipton's Theorem, then $(\Pi/S)/S'$, which equals $(\Pi/S')/S$, and $\Pi$ satisfy the same partial correctness and deadlock-freedom properties. Since $S$ satisfies the hypotheses, $\Pi/S$ and $\Pi$ satisfy the same properties. An action that left or right commutes with every action of $S$ in program $\Pi$ must left or right commute with $\langle S\rangle$ in program $\Pi/S$. Therefore, if $S'$ satisfies the hypotheses of Lipton's Theorem in program $\Pi$, then it also satisfies these hypotheses in $\Pi/S$. Hence, a second application of Lipton's Theorem shows that $(\Pi/S)/S'$ and $\Pi$ satisfy the same partial correctness and deadlock-freedom properties. Generalizing to an arbitrary number of reductions is obvious.
3 A General Reduction Theorem

We begin by defining the concepts needed to formalize the notion of reduction. Then, in Section 3.2, we state a generalization of Lipton's Theorem; its proof is in the appendix. We derive Doeppner's result as a corollary, and use it to prove Lipton's Theorem. The section closes with an example of the use of our theorem.

3.1 Definitions

3.1.1 Programs

Thus far, we have viewed a program $\Pi$ as a set of states and a set of actions. (Recall that an [atomic] action is a set of pairs of states.) However, what matters for safety properties is not the set of actions, but the program's next-state relation, which is the union of all the program's actions. For example, replacing the single program action

$$\langle x := |x| + 1\rangle$$

by the pair of actions

$$\mathbf{if}\ \langle x \geq 0 \rightarrow x := x + 1\rangle\ \Box\ \langle x < 0 \rightarrow x := -x + 1\rangle\ \mathbf{fi}$$

yields an equivalent program.

We therefore formally define a program $\Pi$ to consist of a set of states and a single action $\hat\Pi$, where $\hat\Pi$ is the next-state relation. (The next-state relation, being the union of actions, is itself an action.) Observe that, although the specification of a program usually describes its possible starting states, we do not include any special starting or terminating states in our formal definition; they are irrelevant to our results.

3.1.2 Histories

A history of $\Pi$ is a finite, nonempty sequence $t_0, \ldots, t_n$ of states such that $t_{i-1} \overset{\hat\Pi}{\rightarrow} t_i$ for $0 < i \leq n$. This history represents a partial execution (possibly complete) of $\Pi$, starting in state $t_0$ and reaching state $t_n$. Only such finite partial executions need be considered when proving safety properties, even of nonterminating programs, since a safety property is, by definition, one that is satisfied by an infinite execution iff it is satisfied by every finite prefix [1].

3.1.3 Commutativity

Recall that an action $\rho$ right commutes with an action $\lambda$ (and $\lambda$ left commutes with $\rho$) iff $t \overset{\rho\lambda}{\rightarrow} u$ implies $t \overset{\lambda\rho}{\rightarrow} u$ for all states $t$ and $u$. It follows from this definition that, if $\rho$ equals the union of actions $\rho_i$ and $\lambda$ equals the union of actions $\lambda_j$, then $\rho$ right commutes with $\lambda$ if every $\rho_i$ right commutes with every $\lambda_j$.

If there are no states $s$, $t$, and $u$ such that $s \overset{\rho}{\rightarrow} t \overset{\alpha}{\rightarrow} u$, so $\alpha$ cannot be executed immediately after $\rho$, then $\rho$ right commutes with $\alpha$. Hence, if $\rho$ is an action in a process of a concurrent program, then $\rho$ right commutes with every action in that process, except the action immediately following it. Hypothesis 1 of Lipton's theorem is therefore equivalent to the hypothesis that $S_1, \ldots, S_{i-1}$ right commute with every program action not in $S$. Similarly, an action left commutes with every action in the same process except the action immediately preceding it.

For any action $\alpha$, we define $\overset{\alpha}{\Rightarrow}$ to be the reflexive, transitive closure of $\overset{\alpha}{\rightarrow}$. Thus, $t \overset{\alpha}{\Rightarrow} u$ iff $t = u$ or there exists a state $v$ such that $t \overset{\alpha}{\rightarrow} v \overset{\alpha}{\Rightarrow} u$. In other words, $t \overset{\alpha}{\Rightarrow} u$ iff it is possible to go from state $t$ to state $u$ by "executing" action $\alpha$ zero or more times. We adopt the usual convention of writing $t \Rightarrow v \Rightarrow u$ to denote that $t \Rightarrow v$ and $v \Rightarrow u$ hold.

3.1.4 Predicates and Safety Properties

A predicate is a Boolean-valued function on the set of states. The value $Q(t)$ of predicate $Q$ on state $t$ is written $t \models Q$. An action $\alpha$ is defined to leave predicate $Q$ invariant iff $t \models Q$ implies $u \models Q$ whenever $t \overset{\alpha}{\rightarrow} u$. It follows from this definition that, if $\alpha$ equals the union of actions $\alpha_i$, then $\alpha$ leaves $Q$ invariant iff every $\alpha_i$ does. Note that if $t \models Q$ implies that $\alpha$ cannot be executed in state $t$, so there is no state $u$ such that $t \overset{\alpha}{\rightarrow} u$, then $\alpha$ trivially leaves $Q$ invariant. Thus, if a predicate asserts that $\alpha$ is enabled, then $\alpha$ leaves the negation of that predicate invariant.

If $\mathit{Init}$ and $Q$ are predicates, then a program $\Pi$ satisfies the temporal logic formula $\mathit{Init} \Rightarrow \Box Q$ iff the following holds: for any history $t_0, \ldots, t_n$ of $\Pi$, if $t_0 \models \mathit{Init}$ then $t_i \models Q$, for $0 \leq i \leq n$. This property is equivalent to

For all states $t$ and $u$: if $t \overset{\hat\Pi}{\Rightarrow} u$ and $t \models \mathit{Init}$, then $u \models Q$.

Properties of the form $\mathit{Init} \Rightarrow \Box Q$ are proved with the Owicki-Gries method [10] and similar assertional methods [2, 6]. Moreover, by adding auxiliary variables to the program, any safety property can be expressed in this form.


3.1.5 Operations

The notion of a statement is meaningful only in the context of a programming language. To make our results independent of any language, we will define reduction with respect to operations rather than statements. The intuitive view is that an operation $S$ consists of a collection of related actions from a single process. Actions are "related" iff, from the time the first action of $S$ is executed until the entire operation completes, the process can execute actions only from $S$. Executing the first action of $S$ moves control inside $S$, and executing the last action moves control outside $S$. Only actions of $S$ can move control inside or outside of $S$.

Formally, an operation $S$ of program $\Pi$ consists of a subset $\hat S$ of the next-state relation $\hat\Pi$ together with a predicate $\mathcal{E}(S)$ (where $\mathcal{E}$ stands for external), such that $\hat\Pi - \hat S$ leaves both $\mathcal{E}(S)$ and $\neg\mathcal{E}(S)$ invariant. Being subsets of $\hat\Pi$, an action, $\hat S$ and $\hat\Pi - \hat S$ are themselves actions. This formal definition corresponds to the intuitive view above, where $\hat S$ is the union of the actions constituting $S$, and $\mathcal{E}(S)$ is the predicate asserting that control is outside $S$.¹

We now define what it means for an operation to be atomic. We could define $A$ to be atomic iff $\mathcal{E}(A)$ holds in all states. However, we want $\Pi$ and $\Pi/S$ to satisfy the same properties, so we want them to have the same set of states; this means that $\Pi/S$ may contain states in which $\mathcal{E}(\langle S\rangle)$ is false even though it has $\langle S\rangle$ as an atomic action. Therefore, we adopt the more general definition that an operation $A$ of program $\Pi$ is atomic iff $\mathcal{E}(A)$ is left invariant by $\hat\Pi$. Consequently, if $A$ is atomic, then control will remain outside $A$ throughout any history that starts in a state with control outside $A$.

Observe that the concept of a process is not used in our formal definition of an operation, and nothing prevents actions of different processes from being part of a single operation. For example, a matching pair of communication statements in a CSP program can be represented by a single atomic operation [8].

¹In the notation of [5], $\mathcal{E}(S) = at(S) \vee \neg in(S)$.
3.1.6 Sequential Composition

Our reduction theorem involves the sequential composition $T; U$ of operations $T$ and $U$. Composition is usually defined for statements in a programming language. A precise definition for sequential composition of operations is complicated. However, the composition $T; U$ has the expected meaning if (i) control cannot be inside both $T$ and $U$, and (ii) any execution of $T; U$ consists of a (possibly null) sequence of executions of $T$ followed by a (possibly null) sequence of executions of $U$. For example, in the statement

if $b$ then $T; U_1$
else $U_2$
fi

the then and else clauses together define a single operation $T; U$, where the operation $U$ is defined by $\hat U = \hat U_1 \cup \hat U_2$ and $\mathcal{E}(U) = \mathcal{E}(U_1) \wedge \mathcal{E}(U_2)$. By our definition of atomicity, if each $U_i$ is atomic, then $U$ is atomic.

For a general definition of the sequential composition of operations, we must use $\mathcal{E}(T)$, $\mathcal{E}(U)$, $\hat T$, and $\hat U$ to characterize when operation $T; U$ is defined and, when it is defined, what $\widehat{T; U}$ and $\mathcal{E}(T; U)$ are. Such a definition is complicated; the only simple part is that when $T; U$ is defined, $\widehat{T; U}$ equals $\hat T \cup \hat U$. Therefore, instead of giving a formal definition, we just list in the appendix properties of sequential composition that we require.

If $T$ is null, meaning that $\hat T$ is the empty set and $\mathcal{E}(T)$ is identically true, then $T; U$ equals $U$. Similarly, if $U$ is null, then $T; U$ equals $T$.

3.1.7 Possible Termination

Hypothesis 3 of Lipton's Theorem asserts that it is possible for $S$ to terminate from any state in which control is inside $S$. Control being inside $S$ means that $\neg\mathcal{E}(S)$ holds. Termination of $S$ means reaching a state in which $\mathcal{E}(S)$ holds. Thus, Lipton's hypothesis 3 asserts that, for every state $t$, if $t \models \neg\mathcal{E}(S)$ then there exists a state $u$ such that $t \overset{\hat S}{\Rightarrow} u$ and $u \models \mathcal{E}(S)$.

3.2 The Reduction Theorem and Corollaries

3.2.1 Reduction

The purpose of our reduction theorem is to justify pretending that an operation is atomic. To define what this pretense means, we first define the operation $\langle S\rangle$ for an arbitrary operation $S$ in a program $\Pi$. This requires defining action $\widehat{\langle S\rangle}$ and predicate $\mathcal{E}(\langle S\rangle)$. We define $\mathcal{E}(\langle S\rangle)$ to equal $\mathcal{E}(S)$.

Our definition of $\langle S\rangle$ should assert that $t \overset{\langle S\rangle}{\rightarrow} u$ iff a complete execution of $S$ can take state $t$ to state $u$. A "complete execution" is one that starts with control outside $S$ and ends as soon as control leaves $S$. We define $\widehat{\langle S\rangle}$ to consist of all pairs $(t, u)$ such that $t \models \mathcal{E}(S)$, $u \models \mathcal{E}(S)$, and there exist states $t_0, \ldots, t_n$, with $0 < n$, such that

$$t = t_0 \overset{\hat S}{\rightarrow} t_1 \overset{\hat S}{\rightarrow} \cdots \overset{\hat S}{\rightarrow} t_{n-1} \overset{\hat S}{\rightarrow} t_n = u$$

and $t_i \models \neg\mathcal{E}(S)$ for $0 < i < n$.

For any action $\alpha$, define $t \overset{\alpha}{\Rightarrow}_S u$ to mean that there exist states $t_0, \ldots, t_n$, with $0 < n$, such that

$$t = t_0 \overset{\alpha}{\rightarrow} t_1 \overset{\alpha}{\rightarrow} \cdots \overset{\alpha}{\rightarrow} t_{n-1} \overset{\alpha}{\rightarrow} t_n = u$$

and $t_i \models \neg\mathcal{E}(S)$ for $0 < i < n$. Then, $t \overset{\alpha}{\Rightarrow}_S u$ implies $t \overset{\alpha}{\Rightarrow} u$. If $u \models \neg\mathcal{E}(S)$, then $t \overset{\alpha}{\Rightarrow}_S u$ and $u \overset{\alpha}{\Rightarrow}_S v$ imply $t \overset{\alpha}{\Rightarrow}_S v$.

To see the relation between the two actions $\hat S$ and $\widehat{\langle S\rangle}$, suppose $t \models \mathcal{E}(S)$ and $u \models \mathcal{E}(S)$. The definition of $\langle S\rangle$ implies that $t \overset{\langle S\rangle}{\rightarrow} u$ iff $t \overset{\hat S}{\rightarrow} u$ or $t \overset{\hat S}{\Rightarrow}_S u$. This in turn implies that $t \overset{\langle S\rangle}{\Rightarrow} u$ iff $t \overset{\hat S}{\Rightarrow} u$.

We can now formally define program $\Pi/S$. We want $\Pi/S$ to be the program obtained by replacing $S$ by an atomic action, so $\Pi/S$ is defined to have the same set of states as $\Pi$ and to have its next-state relation $\widehat{\Pi/S}$ equal to $(\hat\Pi - \hat S) \cup \widehat{\langle S\rangle}$. To show that $\langle S\rangle$ is an atomic operation of $\Pi/S$, we must show that $\widehat{\Pi/S}$ leaves $\mathcal{E}(\langle S\rangle)$ invariant. By definition of what it means for $S$ to be an operation of $\Pi$, action $\hat\Pi - \hat S$ leaves $\mathcal{E}(S)$ invariant. By definition of $\langle S\rangle$, action $\widehat{\langle S\rangle}$ leaves $\mathcal{E}(S)$ invariant. Therefore, $(\hat\Pi - \hat S) \cup \widehat{\langle S\rangle}$, which equals $\widehat{\Pi/S}$, leaves invariant $\mathcal{E}(S)$, which equals $\mathcal{E}(\langle S\rangle)$.

The useful part of the reduction theorem states that, for certain operations $S$, if a safety property is satisfied by $\Pi/S$ then it is satisfied by $\Pi$. The converse, that a safety property is satisfied by $\Pi/S$ if it is satisfied by $\Pi$, is true for any $S$.

Lemma 1 If $\mathit{Init} \Rightarrow \Box Q$ is satisfied by program $\Pi$ then it is satisfied by program $\Pi/S$.

Proof of Lemma

1. For any states $t$ and $u$, if $t \overset{\hat\Pi}{\Rightarrow} u$ and $t \models \mathit{Init}$, then $u \models Q$.

Proof: By the hypothesis that $\Pi$ satisfies $\mathit{Init} \Rightarrow \Box Q$.

2. For any states $t$ and $u$, if $t \overset{\widehat{\Pi/S}}{\Rightarrow} u$ then $t \overset{\hat\Pi}{\Rightarrow} u$.

Proof: By definition of reduction, since $\widehat{\Pi/S} - \widehat{\langle S\rangle} \subseteq \hat\Pi$ and $v \overset{\langle S\rangle}{\rightarrow} w$ implies $v \overset{\hat\Pi}{\Rightarrow} w$.

3. For any states $t$ and $u$, if $t \overset{\widehat{\Pi/S}}{\Rightarrow} u$ and $t \models \mathit{Init}$ then $u \models Q$.

Proof: By 1 and 2.

4. Program $\Pi/S$ satisfies $\mathit{Init} \Rightarrow \Box Q$.

Proof: By 3 and the definition of what it means for $\Pi/S$ to satisfy $\mathit{Init} \Rightarrow \Box Q$.

End Proof of Lemma

3.2.2 The Reduction Theorem and a Corollary

We now state our reduction theorem, which is proved in the appendix, and derive a corollary.

Reduction Theorem Let $\Pi$ be a program, $\mathit{Init}$ and $Q$ be predicates, and $S$ be an operation of $\Pi$ having the form $R; \langle A\rangle; L$, where

0. $\mathit{Init}$ implies $\mathcal{E}(S)$.

1. (a) Action $\hat R$ right commutes with action $\hat\Pi - \hat S$.

(b) For all states $t$ and $u$: if $t \overset{\hat R}{\Rightarrow} u$ and $t \models (Q \wedge \mathcal{E}(S))$ then $u \models (Q \vee \mathcal{E}(S))$.

2. (a) Action $\hat L$ left commutes with action $\hat\Pi - \hat S$.

(b) For all states $t$ and $u$: if $t \overset{\hat L}{\Rightarrow} u$ and $t \models (\neg Q \wedge \neg\mathcal{E}(S))$ then $u \models (\neg Q \vee \neg\mathcal{E}(S))$.

3. For all states $t$: if $t \models (\neg Q \wedge \mathcal{E}(R; \langle A\rangle) \wedge \neg\mathcal{E}(S))$ then there exists a state $u$ such that $t \overset{\hat L}{\Rightarrow} u$ and $u \models \mathcal{E}(S)$.²

Then, $\mathit{Init} \Rightarrow \Box Q$ is satisfied by $\Pi$ iff it is satisfied by $\Pi/S$.

²$\mathcal{E}(R; \langle A\rangle) \wedge \neg\mathcal{E}(S)$ asserts that control is either inside $L$ or at its entry point.
Observe that hypothesis 1(b) holds if $R$ leaves $Q$ invariant, and hypothesis 2(b) holds if $L$ leaves $\neg Q$ invariant. Thus, both of these hypotheses hold if $R$ and $L$ do not change any part of the state on which $Q$ depends.

The conclusion of our reduction theorem asserts that if $Q$ holds throughout the execution of $\Pi/S$ then it holds throughout the execution of $\Pi$. Weaker hypotheses lead to the weaker conclusion that, in the execution of $\Pi$, predicate $Q$ holds only when control is external to $S$, giving a result obtained by Doeppner [4].

Corollary (Doeppner) Let $\Pi$ be a program and $S$ have the form $R; \langle A\rangle; L$, where

0. $\mathit{Init}$ implies $\mathcal{E}(S)$.

1. Action $\hat R$ right commutes with action $\hat\Pi - \hat S$.

2. Action $\hat L$ left commutes with action $\hat\Pi - \hat S$.

Then, $\mathit{Init} \Rightarrow \Box(Q \vee \neg\mathcal{E}(S))$ is satisfied by $\Pi$ iff $\mathit{Init} \Rightarrow \Box Q$ is satisfied by $\Pi/S$.

Proof of Corollary

1. $\mathit{Init} \Rightarrow \Box(Q \vee \neg\mathcal{E}(S))$ is satisfied by $\Pi$ iff it is satisfied by $\Pi/S$.

Proof: Apply the Reduction Theorem with $Q \vee \neg\mathcal{E}(S)$ substituted for $Q$. Hypotheses 0, 1(a), and 2(a) of the theorem follow from hypotheses 0-2 of the corollary. Hypothesis 1(b) of the theorem holds trivially because $(Q \vee \neg\mathcal{E}(S)) \vee \mathcal{E}(S)$ is identically true. Hypothesis 2(b) of the theorem holds vacuously because $\neg(Q \vee \neg\mathcal{E}(S)) \wedge \neg\mathcal{E}(S)$ is identically false. Hypothesis 3 also holds vacuously because $\neg(Q \vee \neg\mathcal{E}(S)) \wedge \mathcal{E}(R; \langle A\rangle) \wedge \neg\mathcal{E}(S)$ is identically false.

2. $\Pi/S$ satisfies $\mathit{Init} \Rightarrow \Box\mathcal{E}(S)$.

Proof: By hypothesis 0, since $\widehat{\Pi/S}$ leaves $\mathcal{E}(S)$, which equals $\mathcal{E}(\langle S\rangle)$, invariant.

3. $\Pi/S$ satisfies $\mathit{Init} \Rightarrow \Box(Q \vee \neg\mathcal{E}(S))$ iff it satisfies $\mathit{Init} \Rightarrow \Box Q$.

Proof: Follows from 2 and the definition of what it means for $\Pi/S$ to satisfy a formula of the form $\mathit{Init} \Rightarrow \Box P$.

End Proof of Corollary

The corollary provides a correct statement of the single-action rule. The incorrect version of the rule asserts that if the reduced program satisfies a property then the original program does. The correct version asserts that if the reduced program satisfies a property $\mathit{Init} \Rightarrow \Box Q$, then the original program satisfies the related property $\mathit{Init} \Rightarrow \Box(Q \vee \neg\mathcal{E}(S))$. Only if $\neg\mathcal{E}(S)$ implies $Q$ does the original program satisfy the same property as the reduced program.


3.2.3 Deriving Lipton's Theorem

We now derive Lipton's Theorem from the corollary. Lipton's Theorem concerns partial correctness and deadlock freedom properties. We consider each of them separately.

The partial correctness property $\{\mathit{Pre}\}\,\Pi\,\{\mathit{Post}\}$ can be expressed in the form $\mathit{Init} \Rightarrow \Box Q$ by letting $\mathit{Init}$ be the predicate asserting that control is at the beginning of $\Pi$ and $\mathit{Pre}$ holds, and letting $Q$ be $\mathit{Term} \Rightarrow \mathit{Post}$, where $\mathit{Term}$ is the predicate asserting that $\Pi$ has terminated, that is, $\mathit{Term}$ asserts that control is at the end of the program. Since control at the end of $\Pi$ implies that $\mathcal{E}(S)$ holds, $\neg\mathcal{E}(S)$ implies $Q$, so $Q \vee \neg\mathcal{E}(S)$ is equivalent to $Q$. Hence, the corollary implies that, under the hypotheses of Lipton's Theorem, $\Pi$ satisfies $\{\mathit{Pre}\}\,\Pi\,\{\mathit{Post}\}$ iff $\Pi/S$ does. This proves Lipton's Theorem for partial correctness. Moreover, we have strengthened this part of Lipton's Theorem by eliminating hypothesis 3. In so doing, we have shown that the single-action rule is valid for partial correctness properties.

We next show that the deadlock-freedom part of Lipton's Theorem follows from the corollary. A program is deadlocked iff it has not terminated and no program action is enabled. Program $\Pi$ has terminated iff program $\Pi/S$ has. Thus, we need show only that an action of $\Pi$ is always enabled iff an action of $\Pi/S$ is always enabled. Let $\mathit{Init}$ be the predicate asserting that control is at the beginning of $\Pi$ and let $\mathit{DF}_\Pi$ be the predicate asserting that some action of $\Pi$ is enabled. Similarly, define $\mathit{DF}_{\Pi/S}$ to assert that some action of $\Pi/S$ is enabled. The conclusion of Lipton's Theorem states, in our notation, that $\Pi$ satisfies $\mathit{Init} \Rightarrow \Box\mathit{DF}_\Pi$ iff $\Pi/S$ satisfies $\mathit{Init} \Rightarrow \Box\mathit{DF}_{\Pi/S}$. We use the corollary to show that this conclusion is implied by the hypotheses of Lipton's Theorem.

1. $\Pi$ satisfies $\mathit{Init} \Rightarrow \Box(\mathit{DF}_{\Pi/S} \vee \neg\mathcal{E}(S))$ iff $\Pi/S$ satisfies $\mathit{Init} \Rightarrow \Box\mathit{DF}_{\Pi/S}$.

Proof: Apply the Corollary with $\mathit{DF}_{\Pi/S}$ substituted for $Q$.

2. $\mathit{DF}_{\Pi/S} \vee \neg\mathcal{E}(S)$ implies $\mathit{DF}_\Pi$.

2.1. $\mathit{DF}_{\Pi/S}$ implies $\mathit{DF}_\Pi$.

Proof: By definition of $\Pi/S$, if an action of $\Pi/S$ is enabled then an action of $\Pi$ must be enabled.

2.2. $\neg\mathcal{E}(S)$ implies $\mathit{DF}_\Pi$.

Proof: By hypothesis 3 of Lipton's Theorem.

3. $\mathit{DF}_\Pi$ implies $\mathit{DF}_{\Pi/S}$.

Proof: It suffices to prove that $\mathit{DF}_\Pi$ and $\mathcal{E}(S)$ imply $\mathit{DF}_{\Pi/S}$. For this, it suffices to prove that for any state $t$, if there exists a state $u$ such that $t \models \mathcal{E}(S)$ and $t \overset{\hat\Pi}{\rightarrow} u$, then there exists a state $v$ such that $t \overset{\widehat{\Pi/S}}{\rightarrow} v$. Since $t \overset{\hat\Pi}{\rightarrow} u$, either $t \overset{\hat\Pi - \hat S}{\rightarrow} u$ or else $t \overset{\hat S}{\rightarrow} u$. If $t \overset{\hat\Pi - \hat S}{\rightarrow} u$, then we can let $v$ equal $u$. Assume that $t \overset{\hat S}{\rightarrow} u$. If $u \models \neg\mathcal{E}(S)$, then hypothesis 3 of Lipton's Theorem implies that there exists a state $v$ such that $v \models \mathcal{E}(S)$ and $u \overset{\hat S}{\Rightarrow} v$. If $u \models \mathcal{E}(S)$, then let $v$ equal $u$. In either case, $t \overset{\hat S}{\Rightarrow} v$, $t \models \mathcal{E}(S)$, and $v \models \mathcal{E}(S)$, so $t \overset{\langle S\rangle}{\rightarrow} v$.

4. $\Pi$ satisfies $\mathit{Init} \Rightarrow \Box\mathit{DF}_\Pi$ iff $\Pi/S$ satisfies $\mathit{Init} \Rightarrow \Box\mathit{DF}_{\Pi/S}$.

Proof: By 1, since 2 and 3 imply $\mathit{DF}_\Pi \equiv \mathit{DF}_{\Pi/S} \vee \neg\mathcal{E}(S)$.

The single-action rule is not valid for deadlock freedom. For example, let $\Pi$ be the single-process program

$$\langle x := 0\ \mathbf{or}\ 1\rangle;\ \langle \mathbf{await}\ x = 0\rangle$$

where the assignment nondeterministically sets $x$ to 0 or 1, and the await delays forever if $x = 1$. Since every variable is local, a naive single-action rule would assert that this program is equivalent to

$$\langle x := 0\ \mathbf{or}\ 1;\ \mathbf{await}\ x = 0\rangle$$

which, by our definition of $\langle S\rangle$, is equivalent to

$$\langle x := 0\rangle$$

The reduced program is deadlock free, but the original program is not: it deadlocks if the assignment statement sets $x$ to 1.

One might be able to find an alternate definition of $\langle S\rangle$ that makes the single-action rule valid for deadlock freedom. However, we believe that such a definition would be unnatural, and unlikely to be of any practical use.
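The definition of $\langle S\rangle$ and of $\Pi/S$ in Section 3.2.1, Lemma 1, the corollary's form of the single-action rule, and the deadlock example just given can all be exercised on explicit relations. The following Python is an added example, not the paper's code. It computes $\widehat{\langle S\rangle}$ directly from the definition (pairs of external states joined by an $\hat S$ path through internal states), forms $\widehat{\Pi/S} = (\hat\Pi - \hat S) \cup \widehat{\langle S\rangle}$, and checks $\mathit{Init} \Rightarrow \Box Q$ on both programs. The state encodings, the starting states, and the choice of $S$ as each program's whole body are constructed for the example; the two programs are program (1) of the introduction and the $\langle x := 0\ \mathbf{or}\ 1\rangle; \langle\mathbf{await}\ x = 0\rangle$ program above.

```python
"""The reduction Pi/S of Section 3.2 computed from its definition.

Added example, not the paper's code.  A program is a finite set of states
plus a next-state relation (a set of (t, u) pairs); an operation S is a
sub-relation S_hat together with its external predicate E(S)."""


def build(init, actions):
    """Explore from init with action functions; return (states, [relation of each action])."""
    states, frontier = set(init), list(init)
    relations = [set() for _ in actions]
    while frontier:
        t = frontier.pop()
        for relation, action in zip(relations, actions):
            for u in action(t):
                relation.add((t, u))
                if u not in states:
                    states.add(u)
                    frontier.append(u)
    return states, relations


def reachable(init, relation):
    """States u with t ==> u (reflexive transitive closure) for some t in init."""
    seen, frontier = set(init), list(init)
    while frontier:
        t = frontier.pop()
        for a, b in relation:
            if a == t and b not in seen:
                seen.add(b)
                frontier.append(b)
    return seen


def satisfies(relation, init, Q):
    """Init => []Q: every state reachable from an Init state satisfies Q."""
    return all(Q(u) for u in reachable(init, relation))


def bracket(S_hat, external, states):
    """<S>: pairs (t, u) of external states joined by an S path whose
    intermediate states are all internal, i.e. a complete execution of S."""
    successors = {}
    for a, b in S_hat:
        successors.setdefault(a, set()).add(b)
    result = set()
    for t in states:
        if not external(t):
            continue
        frontier, visited = [t], set()
        while frontier:
            v = frontier.pop()
            for b in successors.get(v, ()):
                if external(b):
                    result.add((t, b))          # the execution of S completes here
                elif b not in visited:
                    visited.add(b)
                    frontier.append(b)
    return result


def reduce_program(pi_hat, S_hat, external, states):
    """Next-state relation of Pi/S, namely (Pi_hat - S_hat) union <S>."""
    return (pi_hat - S_hat) | bracket(S_hat, external, states)


def intro_example():
    """Program (1) reduced by S = its whole body; state = (pc, x, y), x = y = 0 at start."""
    first = lambda s: {(1, s[1], s[1] + 1)} if s[0] == 0 else set()   # <y := x + 1>
    second = lambda s: {(2, s[2], s[2])} if s[0] == 1 else set()      # <x := y>
    init = {(0, 0, 0)}
    states, (r1, r2) = build(init, [first, second])
    pi_hat = r1 | r2
    external = lambda s: s[0] != 1            # control outside S: before or after it
    reduced = reduce_program(pi_hat, pi_hat, external, states)
    Q = lambda s: s[1] == s[2]
    return {
        "reduced satisfies x = y": satisfies(reduced, init, Q),
        "original satisfies x = y": satisfies(pi_hat, init, Q),
        "original satisfies x = y or not E(S)": satisfies(pi_hat, init, lambda s: Q(s) or not external(s)),
        "reduced is program (2)": reduced == {((0, 0, 0), (2, 1, 1))},
    }


def deadlock_example():
    """<x := 0 or 1>; <await x = 0> reduced to one action; state = (pc, x)."""
    choose = lambda s: {(1, 0), (1, 1)} if s[0] == 0 else set()
    wait = lambda s: {(2, 0)} if s[0] == 1 and s[1] == 0 else set()
    init = {(0, 0)}
    states, (r1, r2) = build(init, [choose, wait])
    pi_hat = r1 | r2
    external = lambda s: s[0] != 1
    reduced = reduce_program(pi_hat, pi_hat, external, states)
    terminated = lambda s: s[0] == 2

    def deadlock_free(relation):
        enabled = {a for a, _ in relation}
        return all(terminated(u) or u in enabled for u in reachable(init, relation))

    return {
        "original deadlock free": deadlock_free(pi_hat),
        "reduced deadlock free": deadlock_free(reduced),
        "reduced relation": reduced,          # {((0, 0), (2, 0))}, i.e. <x := 0>
    }
```

For program (1), `reduced is program (2)` is true and the reduced program satisfies $x = y$ while the original does not, but the original does satisfy $Q \vee \neg\mathcal{E}(S)$, which is the conclusion the corollary licenses (the commutativity hypotheses hold trivially because $\hat\Pi - \hat S$ is empty). For the second program, `reduced relation` is exactly the single pair corresponding to $\langle x := 0\rangle$, the reduced program is deadlock free and the original is not, reproducing the deadlock in the state `(1, 1)`.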

3.3 An Example

Program $\Pi_1$ of Figure 1 is a two-process concurrent program, where head and tail are the usual operators on sequences, and $\circ$ denotes concatenation.

Program $\Pi_1$
variables
    inp : infinite sequence of value;
    out : sequence of value;
    buf : array [0 .. N − 1] of value;
    x, y : value;
    fp, fc : Natural;
cobegin
    Producer: loop
        $D_p$: ⟨x, inp := head(inp), tail(inp)⟩;
        $A_p$: ⟨await (fp − fc) < N⟩;
        $B_p$: ⟨buf[fp mod N] := x⟩;
        $C_p$: ⟨fp := fp + 1⟩
    end loop
∥
    Consumer: loop
        $A_c$: ⟨await (fp − fc) > 0⟩;
        $B_c$: ⟨y := buf[fc mod N]⟩;
        $D_c$: ⟨out := out ∘ y⟩
    end loop
coend

Figure 1: A simple producer/consumer program.
Using a bounded buffer, a producer process communicates an infinite sequence of values to a consumer process. The safety property of interest is that the sequence of values $out$ received by the consumer is a prefix of the initial value of the sequence $inp$. This property is formulated as $Init \Rightarrow \Box Q$, where

• $Init$ asserts that $buf$ is empty, $inp$ has some initial value $inp_0$, $f_p = f_c = 0$, and $at(D_p)$ and $at(A_c)$ hold, where $at(A)$ is a predicate that is true iff control is at action $A$.

• $Q$ asserts that $out$ is an initial prefix of $inp_0$.

To prove that $\Pi_1$ satisfies this property, the Reduction Theorem is applied twice. First, Program $\Pi_1$ is reduced by $A_p; B_p; C_p$, resulting in a program where the producer has only two actions: $D_p$ and $\langle A_p; B_p; C_p\rangle$. Then, that program is reduced by $A_c; B_c; C_c$, resulting in a final program having just four atomic actions. As we observed at the end of Section 2, these two reductions can be done at once. This is because a consumer action left (right) commutes with each of the actions $A_p$, $B_p$, and $C_p$ iff it left (right) commutes with the single action $\langle A_p; B_p; C_p\rangle$.

For the first reduction, the theorem is applied with $A_p$ for $R$, $B_p$ for $\langle A\rangle$, and $C_p$ for $L$. We now show that the four hypotheses of the theorem are satisfied.

Hypothesis 0. $Init$ implies $\mathcal{E}(A_p; B_p; C_p)$.

Proof: This follows from the definition of $Init$ and $\mathcal{E}$, because $Init$ implies $at(D_p)$, and $at(D_p)$ implies that control is external to $A_p; B_p; C_p$.

Hypothesis 1. (a) Action $R$ right commutes with action $\Pi - S$, where $S$ is $A_p; B_p; C_p$.

(b) For all states $t$ and $u$, if $t \xrightarrow{R} u$ and $t \models (Q \wedge \mathcal{E}(S))$ then $u \models (Q \vee \mathcal{E}(S))$.

1. $A_p$ right commutes with $D_p$.

Proof: $D_p$ cannot be executed immediately after $A_p$.

2. $A_p$ right commutes with $A_c$, $B_c$, and $D_c$.

Proof: Actions $A_p$ and $A_c$ commute because neither modifies any variable accessed by the other, and $A_p$ commutes with $B_c$ and with $D_c$ for the same reason.

3. $A_p$ right commutes with $C_c$.

3.1. If $s \xrightarrow{A_p} \cdot \xrightarrow{C_c} t$ and $s \xrightarrow{C_c} \cdot \xrightarrow{A_p} t'$, then $t = t'$.

Proof: From the definitions of $A_p$ and $C_c$.

3.2. If it is possible to execute first $A_p$ then $C_c$ on a state $s$, then it is also possible to execute first $C_c$ then $A_p$ on $s$.

Proof: It is possible to execute $A_p$ then $C_c$ on $s$ iff

$s \models at(A_p) \wedge at(C_c) \wedge (f_p - f_c < N)$ (3)

It is possible to execute $C_c$ then $A_p$ on $s$ iff

$s \models at(A_p) \wedge at(C_c) \wedge (f_p - (f_c + 1) < N)$ (4)

Obviously, (3) implies (4).

3.3. If $s \xrightarrow{A_p} \cdot \xrightarrow{C_c} t$ then $s \xrightarrow{C_c} \cdot \xrightarrow{A_p} t$.

Proof: By 3.1 and 3.2.

4. Hypothesis 1(a) holds.

Proof: By 1, 2, and 3, since $\Pi - S$ equals the union of $D_p$, $A_c$, $B_c$, $C_c$, and $D_c$.

5. Hypothesis 1(b) holds.

Proof: Action $A_p$ does not modify any part of the state on which $Q$ depends, so it leaves $Q$ invariant.

Hypothesis 2. (a) Action $C_p$ left commutes with action $\Pi - S$.

(b) For all states $t$ and $u$, if $t \xrightarrow{L} u$ and $t \models (\neg Q \wedge \neg\mathcal{E}(S))$ then $u \models (\neg Q \vee \neg\mathcal{E}(S))$.

Proof: The proof of this is similar to the proof of hypothesis 1. The key step in the proof that $C_p$ left commutes with $A_c$ is the observation that (i) it is possible to execute $A_c$ then $C_p$ on a state $s$ iff $s \models (at(A_c) \wedge at(C_p) \wedge (f_p - f_c > 0))$, and (ii) it is possible to execute $C_p$ then $A_c$ on $s$ iff $s \models (at(A_c) \wedge at(C_p) \wedge ((f_p + 1) - f_c > 0))$. Hypothesis 2(b) holds because action $C_p$ does not change any part of the state on which $Q$ depends, so it leaves $\neg Q$ invariant.

Hypothesis 3. For all states $t$: if $t \models (\neg Q \wedge at(C_p))$ then $C_p$ can terminate from $t$.

Proof: $C_p$ can terminate from any state $t$ for which $t \models at(C_p)$.
The justification of the second reduction is similar to that of the first with $p$ and $c$ subscripts interchanged. We must prove that $A_c$ left commutes and $C_c$ right commutes with the four actions $A_p$, $B_p$, $C_p$, and $D_p$. (Recall that this implies that they left and right commute with $\langle A_p; B_p; C_p\rangle$.) Proving the symmetric versions of statements 0-3 in the proof of the first reduction allows our theorem to be applied to the second reduction. We omit the proofs. (Note that the proofs of the commutativity relations between $A_c$ and $C_p$, and between $C_c$ and $A_p$, appeared in the proof of the first reduction.)

4  Constraints 

We can replace the unbounded integer variables $f_p$ and $f_c$ of Program $\Pi_1$ by integers modulo $2N$, to obtain producer/consumer program $\Pi_2$ of Figure 2. Program $\Pi_2$ can be viewed as an implementation of $\Pi_1$ in which the "leftmost bits" of $f_p$ and $f_c$ have been eliminated. We would, therefore, expect to be able to reduce $\Pi_2$ to a program with only four atomic actions, just as we reduced $\Pi_1$. Unfortunately, we cannot. The action pairs $A_p, C_c$ and $A_c, C_p$ of $\Pi_2$ do not satisfy the required commutativity relations. For example, if $t$ is a state in which $f_p = f_c$, then there are states $u$ and $v$ such that $t \xrightarrow{A_p} u \xrightarrow{C_c} v$, but no state $u'$ such that $t \xrightarrow{C_c} u' \xrightarrow{A_p} v$, because $-1 \bmod 2N$ equals $2N - 1$, which is greater than or equal to $N$. (Executing $C_c$ when $f_p = f_c$ disables $A_p$.) Thus, $A_p$ does not right commute with $C_c$.

Program $\Pi_2$ admits "irreducible" histories, ones that are not equivalent to any of the reduced program's histories. However, these irreducible histories are irrelevant because they cannot arise when $\Pi_2$ is started in a "proper" initial state. The property we want to prove is $Init \Rightarrow \Box Q$, which asserts that $Q$ is always true for any execution started in a state satisfying the predicate $Init$, and it turns out that there is no irreducible history beginning with a state that satisfies $Init$. For example, histories containing a state in which $f_p = f_c$ and both $A_p$ and $C_c$ are enabled, so $A_p$ does not right commute with $C_c$, are irrelevant because such a state cannot be reached when Program $\Pi_2$ is started with $Init$ true.

We will dispense with these irrelevant histories by modifying $\Pi_2$ to eliminate them.¹ We constrain the program by a predicate $I$ to eliminate histories in which $I$ becomes false [7]. If the original program satisfies $Init \Rightarrow \Box I$, then only irrelevant histories are eliminated.

¹ We could define these histories out of existence by including the initial state in the formal definition of a program, but this would complicate our definitions without making it any easier to actually prove properties of programs.

Program Π2
variables
    inp : infinite sequence of value;
    out : sequence of value;
    buf : array [0 ... N − 1] of value;
    x, y : value;
    fp, fc : {0 ... 2N − 1};
cobegin
    Producer: loop
        Dp: ⟨x, inp := head(inp), tail(inp)⟩;
        Ap: ⟨await (fp − fc) mod 2N < N⟩;
        Bp: ⟨buf[fp mod N] := x⟩;
        Cp: ⟨fp := fp + 1 mod 2N⟩
    end loop
□
    Consumer: loop
        Ac: ⟨await (fp − fc) mod 2N > 0⟩;
        Bc: ⟨y := buf[fc mod N]⟩;
        Cc: ⟨fc := fc + 1 mod 2N⟩;
        Dc: ⟨out := out ∘ y⟩
    end loop
coend

Figure 2: Another simple producer/consumer program.

For an action $\alpha$ and a predicate $I$, define $\alpha|I$ (read $\alpha$ constrained by $I$) to be the action $\{(s,t) \in \alpha : (s \models I) \wedge (t \models I)\}$. Thus, $s \xrightarrow{\alpha|I} t$ iff $s \xrightarrow{\alpha} t$ and $I$ holds in states $s$ and $t$. For a program $\Pi$ we define $\Pi|I$ to be the program whose states are the states of $\Pi$ that satisfy $I$, and whose next-state relation is $\Pi|I$. If $S$ is an operation of $\Pi$, then $S|I$ is the operation of $\Pi|I$ whose action is the constrained action $S|I$ and for which $\mathcal{E}(S|I)$ equals $\mathcal{E}(S)$ with its domain restricted to the states of $\Pi|I$.

The next-state relation $\Pi|I$ is enabled only in states satisfying $I$, and $\Pi|I$ can produce only states satisfying $I$. The histories of $\Pi|I$ consist of the histories of $\Pi$ in which all states satisfy $I$. This implies that every history of $\Pi|I$ is a history of $\Pi$.

Suppose that $Init \Rightarrow \Box I$ holds for a program $\Pi$. Then, $I$ is true for all states in any history of $\Pi$ beginning in a state with $Init$ true. Therefore, any history of $\Pi$ beginning with $Init$ true is also a history of $\Pi|I$. If $\Pi$ satisfies $Init \Rightarrow \Box I$, then $\Pi$ satisfies $Init \Rightarrow \Box Q$ iff $\Pi|I$ does. The property $Init \Rightarrow \Box I$ can be proved by ordinary assertional methods. Usually, $I$ is an invariant of $\Pi$.

To define the predicate $I$ for $\Pi_2$, we first define a function $\gamma_p$ on the set of program states:

$\gamma_p = 1$ if $at(B_p) \vee at(C_p)$, and $\gamma_p = 0$ otherwise.

We define $\gamma_c$ similarly, replacing $p$ by $c$. The predicate $I$ is defined to equal

$\gamma_c \le (f_p - f_c) \bmod 2N \le N - \gamma_p$

That $I$ is an invariant of $\Pi_2$ can be established in the usual way. It is also easy to check that $Init$ implies $I$. Therefore, to prove that $Init \Rightarrow \Box Q$ is satisfied by $\Pi_2$, we need to show only that it is satisfied by $\Pi_2|I$.

We can now apply our Reduction Theorem to $\Pi_2|I$, reducing it first by $A_p|I; B_p|I; C_p|I$ and then by $A_c|I; B_c|I; C_c|I$. The proof is almost identical to that for $\Pi_1$ given above. The major difference is in the proof that $A_p|I$ right commutes with $C_c|I$. As in step 3.2 above, we must show that if it is possible to execute $A_p|I$ followed by $C_c|I$ from a state $t$, then it is also possible to execute $C_c|I$ followed by $A_p|I$ from $t$. It is possible to execute $A_p|I$ followed by $C_c|I$ from $t$ iff

$t \models I \wedge at(A_p) \wedge at(C_c) \wedge ((f_p - f_c) \bmod 2N < N)$ (5)

and it is possible to execute $C_c|I$ followed by $A_p|I$ from $t$ iff

$t \models I \wedge at(A_p) \wedge at(C_c) \wedge ((f_p - (f_c + 1)) \bmod 2N < N)$ (6)

Since $I \wedge at(A_p) \wedge at(C_c)$ implies that $1 \le (f_p - f_c) \bmod 2N \le N$, it follows that (5) implies (6).
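The claims made about $\Pi_1$ and $\Pi_2$ in Sections 3.3 and 4 (that $Q$ holds in every state reachable from $Init$, that $I$ is an invariant of $\Pi_2$, and that $A_p$ fails to right commute with $C_c$ only in states with $f_p = f_c$ that cannot be reached from $Init$) can be checked by exhaustive enumeration for a small instance. The Python model below is an added example and is not code from the paper. It assumes a constructed buffer size $N = 2$ and a constructed finite prefix `INP` of the input sequence, and it disables $D_p$ once that prefix is exhausted so that the set of reachable states is finite; the names `succ`, `reachable`, `right_commutes_at`, `ap_cc_violations` and `UNREACHABLE` are the example's own.

```python
"""Added example (not the paper's code): an explicit-state model of the
producer/consumer programs Pi_1 (unbounded counters) and Pi_2 (counters
mod 2N), with checks of Q, of the invariant I, and of whether A_p right
commutes with C_c.  Constructed assumptions: N = 2, a finite prefix INP of
inp, and D_p disabled once INP is exhausted (keeps the state space finite)."""
from collections import deque

N = 2
MOD = 2 * N
INP = (10, 11, 12, 13, 14)            # constructed finite prefix of inp
# State layout: (pp, cp, fp, fc, buf, x, y, i, out); i is the next inp index.
INIT = ("Dp", "Ac", 0, 0, (None,) * N, None, None, 0, ())


def succ(s, modular):
    """(label, successor) pairs of state s.  modular=True models Pi_2
    (fp, fc taken mod 2N); modular=False models Pi_1 (unbounded fp, fc)."""
    pp, cp, fp, fc, buf, x, y, i, out = s
    wrap = (lambda k: k % MOD) if modular else (lambda k: k)
    res = []
    if pp == "Dp" and i < len(INP):                  # x, inp := head(inp), tail(inp)
        res.append(("Dp", ("Ap", cp, fp, fc, buf, INP[i], y, i + 1, out)))
    elif pp == "Ap" and wrap(fp - fc) < N:           # await (fp - fc) [mod 2N] < N
        res.append(("Ap", ("Bp", cp, fp, fc, buf, x, y, i, out)))
    elif pp == "Bp":                                 # buf[fp mod N] := x
        b = list(buf)
        b[fp % N] = x
        res.append(("Bp", ("Cp", cp, fp, fc, tuple(b), x, y, i, out)))
    elif pp == "Cp":                                 # fp := fp + 1 [mod 2N]
        res.append(("Cp", ("Dp", cp, wrap(fp + 1), fc, buf, x, y, i, out)))
    if cp == "Ac" and wrap(fp - fc) > 0:             # await (fp - fc) [mod 2N] > 0
        res.append(("Ac", (pp, "Bc", fp, fc, buf, x, y, i, out)))
    elif cp == "Bc":                                 # y := buf[fc mod N]
        res.append(("Bc", (pp, "Cc", fp, fc, buf, x, buf[fc % N], i, out)))
    elif cp == "Cc":                                 # fc := fc + 1 [mod 2N]
        res.append(("Cc", (pp, "Dc", fp, wrap(fc + 1), buf, x, y, i, out)))
    elif cp == "Dc":                                 # out := out o y
        res.append(("Dc", (pp, "Ac", fp, fc, buf, x, y, i, out + (y,))))
    return res


def Q(s):
    """out is an initial prefix of the initial value of inp."""
    return s[8] == INP[:len(s[8])]


def I(s):
    """Section 4's constraint: gamma_c <= (fp - fc) mod 2N <= N - gamma_p."""
    pp, cp, fp, fc = s[:4]
    gp = 1 if pp in ("Bp", "Cp") else 0
    gc = 1 if cp in ("Bc", "Cc") else 0
    return gc <= (fp - fc) % MOD <= N - gp


def reachable(modular):
    """All states reachable from INIT (breadth-first search)."""
    seen, todo = {INIT}, deque([INIT])
    while todo:
        for _, t in succ(todo.popleft(), modular):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def right_commutes_at(s, first, second, modular):
    """False iff s -first-> t -second-> u is possible but executing second
    then first from s does not lead to u (first fails to right commute at s)."""
    def step(st, label):
        return next((t for l, t in succ(st, modular) if l == label), None)
    t = step(s, first)
    u = step(t, second) if t is not None else None
    if u is None:
        return True
    t2 = step(s, second)
    return t2 is not None and step(t2, first) == u


def ap_cc_violations(states, modular):
    return [s for s in states if not right_commutes_at(s, "Ap", "Cc", modular)]


# Constructed state with fp = fc in which both A_p and C_c are enabled.
UNREACHABLE = ("Ap", "Cc", 1, 1, (10, None), 11, 10, 2, ())

if __name__ == "__main__":
    for modular, name in ((False, "Pi_1"), (True, "Pi_2")):
        r = reachable(modular)
        print(name, len(r), "reachable states; Q everywhere:", all(map(Q, r)),
              "; A_p/C_c violations among them:", len(ap_cc_violations(r, modular)))
    print("I invariant for Pi_2:", all(map(I, reachable(True))))
    print("A_p right commutes with C_c at the fp = fc state: Pi_1 =",
          right_commutes_at(UNREACHABLE, "Ap", "Cc", False),
          ", Pi_2 =", right_commutes_at(UNREACHABLE, "Ap", "Cc", True),
          "; I holds there:", I(UNREACHABLE))
```

The `modular` flag is the only difference between the two programs. With `modular=False` the enumeration finds no state at all in which $A_p$ fails to right commute with $C_c$, matching step 3.2 for $\Pi_1$; with `modular=True` the constructed state `UNREACHABLE` exhibits exactly the failure described at the start of Section 4, and the search confirms both that no such state is reachable from `INIT` and that `UNREACHABLE` violates $I$, which is what lets the constrained program $\Pi_2|I$ be reduced.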

5 Discussion

We have given a reduction theorem for proving that a safety property of the form $Init \Rightarrow \Box Q$ holds for a program $\Pi$ if it holds for the coarser-grained program $\Pi/S$. In general, a reduction theorem allows one to conclude that $\Pi$ satisfies a property $P$ if $\Pi/S$ satisfies a related property $P'$. It is proved by showing that for any history $\Sigma$ of $\Pi$, there is a corresponding history $\Sigma'$ of $\Pi/S$ such that $\Sigma$ satisfies $P$ if $\Sigma'$ satisfies $P'$. The history $\Sigma'$ is derived from $\Sigma$ by commuting actions and completing or eliminating any unfinished execution of $S$. Hypotheses about commutativity and the possible termination of $L$ make it possible to derive $\Sigma'$. Additional hypotheses may be needed to guarantee that if $\Sigma'$ satisfies $P'$ then $\Sigma$ satisfies $P$. In our reduction theorem, these are hypotheses 1(b) and 2(b).

A reduction theorem is tailored to a particular class of properties. We chose the hypotheses of our reduction theorem to be as weak as possible for properties of the form $Init \Rightarrow \Box Q$. Lipton considered partial correctness and deadlock-freedom properties, and Doeppner considered properties closely related to partial correctness. We do not know of a similar reduction theorem for liveness properties. We do know that such a theorem would need different hypotheses. For example, the hypotheses of Lipton's Theorem are satisfied if $S$ equals $P(sem); V(sem)$, in which case $\langle S\rangle$ leaves $sem$ unchanged. Suppose a program $\Pi$ contains a process that repeatedly executes $S$. Then $\Pi/S$ might satisfy a progress property that is not satisfied by $\Pi$ because the repeated decrementing and incrementing of $sem$ prevents some other process from making progress. Thus, the hypotheses of Lipton's Theorem are not sufficient for deriving liveness properties.

Back [3] does give a reduction theorem for total correctness, the conjunction of partial correctness (a safety property) and termination (a liveness property). However, his hypotheses involve commutativity relations between actions outside $S$, so the theorem is not closely related to either our reduction theorem or Lipton's.


Appendix: Proof of the Reduction Theorem

Our proof relies on the following properties of sequential composition and atomic operations, where $S$ equals $T; U$.

SC1. For any action $\alpha$, if $v \overset{\alpha \cup S}{\Longrightarrow} w$ and no state strictly between $v$ and $w$ satisfies $\mathcal{E}(S)$, then there exists a state $x$ such that $v \overset{\alpha \cup T}{\Longrightarrow} x \overset{\alpha \cup U}{\Longrightarrow} w$.

[When executing $S$: first, actions in $T$ or not in $S$ are executed until control exits $T$; then, actions in $U$ or not in $S$ are executed until control exits $S$.]

SC2. $\mathcal{E}(S)$ implies $\mathcal{E}(T) \wedge \mathcal{E}(U)$.

[If control is external to $S$, then it is external to its components $T$ and $U$.]

SC3. $\neg\mathcal{E}(T) \wedge \neg\mathcal{E}(U)$ is identically false.

[Control cannot be internal to both $T$ and $U$.]

SC4. $\neg\mathcal{E}(T)$ implies that $U$ is not enabled.

[$U$ cannot be executed when control is internal to $T$.]

SC5. If $U$ is an atomic operation and $v \xrightarrow{U} w$ then $w \models \mathcal{E}(S)$.

[When control exits $U$, control is external to $S$; and control exits an atomic action when it is executed.]

Lemma 2 (a) Let $\alpha$ and $\rho$ be actions such that $\rho$ right commutes with $\alpha - \rho$. For states $t$ and $u$, if $t \overset{\alpha}{\Longrightarrow} u$ then there exists a state $v$ such that $t \overset{\alpha - \rho}{\Longrightarrow} v \overset{\rho}{\Longrightarrow} u$.

(b) Let $\alpha$ and $\lambda$ be actions such that $\lambda$ left commutes with $\alpha - \lambda$. For states $t$ and $u$, if $t \overset{\alpha}{\Longrightarrow} u$ then there exists a state $v$ such that $t \overset{\lambda}{\Longrightarrow} v \overset{\alpha - \lambda}{\Longrightarrow} u$.

Proof of Lemma

We prove part (a); the proof of part (b) is similar. The hypothesis asserts that

$t = t_0 \xrightarrow{\alpha} t_1 \xrightarrow{\alpha} \cdots \xrightarrow{\alpha} t_n = u$ (7)

for some states $t_i$, with $0 \le n$. If $w \xrightarrow{\alpha} x$, then either $w \xrightarrow{\rho} x$ or $w \xrightarrow{\alpha - \rho} x$. By the right-commutativity hypothesis, if $w \xrightarrow{\rho} x \xrightarrow{\alpha - \rho} y$, then there exists $x'$ such that $w \xrightarrow{\alpha - \rho} x' \xrightarrow{\rho} y$. Thus, by repeatedly replacing $x \xrightarrow{\rho} \cdot \xrightarrow{\alpha - \rho} y$ with $x \xrightarrow{\alpha - \rho} \cdot \xrightarrow{\rho} y$, we can deduce from (7) the existence of $k$ and of states $t'_i$ such that

$t = t'_0 \xrightarrow{\alpha - \rho} \cdots \xrightarrow{\alpha - \rho} t'_k \xrightarrow{\rho} \cdots \xrightarrow{\rho} t'_n = u$

This implies $t \overset{\alpha - \rho}{\Longrightarrow} v \overset{\rho}{\Longrightarrow} u$, where $v = t'_k$.

End Proof of Lemma


Lemma 3 Assume hypotheses 0-3 of the Reduction Theorem and the additional hypotheses that, for states $t$ and $u$:

4. $t \models \mathcal{E}(S)$

5. $u \models \mathcal{E}(S)$

6. $t \overset{\Pi}{\Longrightarrow} u$

Then $t \overset{\Pi/S}{\Longrightarrow} u$.

Proof of Lemma

We prove by induction on $n$ that, for any states $t$ and $u$, if there exist states $t_0, \ldots, t_n$ such that

$t = t_0 \xrightarrow{\Pi} t_1 \xrightarrow{\Pi} \cdots \xrightarrow{\Pi} t_n = u$ (8)

then $t \overset{\Pi/S}{\Longrightarrow} u$. The base case $n = 0$ is trivial, since then $t = u$ and the relation $\overset{\Pi/S}{\Longrightarrow}$ is reflexive.

We now prove the induction step, assuming $n > 0$. Assume states $t_0, \ldots, t_n$ satisfying (8) exist. The proof that $t \overset{\Pi/S}{\Longrightarrow} u$ is split into two cases, depending upon whether or not $t_i \models \mathcal{E}(S)$ holds for some $0 < i < n$.

1. If $t_i \models \mathcal{E}(S)$ holds for some $0 < i < n$, then $t \overset{\Pi/S}{\Longrightarrow} u$.

Proof: Since $t \overset{\Pi}{\Longrightarrow} t_i$ and $t_i \overset{\Pi}{\Longrightarrow} u$, the induction hypothesis implies $t \overset{\Pi/S}{\Longrightarrow} t_i$ and $t_i \overset{\Pi/S}{\Longrightarrow} u$. Thus, $t \overset{\Pi/S}{\Longrightarrow} u$ holds by transitivity of $\overset{\Pi/S}{\Longrightarrow}$.

2. If $t_i \models \neg\mathcal{E}(S)$ holds for all $0 < i < n$, then $t \overset{\Pi/S}{\Longrightarrow} u$.

2.1. Choose a state $v$ such that $t \overset{(\Pi - S) \cup R;\langle A\rangle}{\Longrightarrow} v \overset{(\Pi - S) \cup L}{\Longrightarrow} u$.

Proof: State $v$ exists by SC1, since $t \overset{\Pi}{\Longrightarrow} u$ by hypothesis 6 and, by the antecedent of 2, no intermediate state satisfies $\mathcal{E}(S)$.

2.2. Choose a state $w$ such that $t \overset{(\Pi - S) \cup R}{\Longrightarrow} w \overset{(\Pi - S) \cup \langle A\rangle}{\Longrightarrow} v \overset{(\Pi - S) \cup L}{\Longrightarrow} u$.

Proof: State $w$ exists by 2.1 and SC1.

2.3. $w \xrightarrow{\Pi - S} v$ or $w \xrightarrow{\langle A\rangle} v$ or $w = v$.

2.3.1. $w \models \mathcal{E}(\langle A\rangle)$

Proof: By hypothesis 4 and SC2, $t \models \mathcal{E}(\langle A\rangle)$; proof step 2.2 implies $t \overset{(\Pi - S) \cup R}{\Longrightarrow} w$; and $\Pi - \langle A\rangle$ leaves $\mathcal{E}(\langle A\rangle)$ invariant by definition of atomicity.

2.3.2. Choose states $w_0, \ldots, w_m$, for $0 \le m$, such that $w = w_0 \xrightarrow{(\Pi - L) - R} w_1 \cdots \xrightarrow{(\Pi - L) - R} w_m = v$ and $w_j \models \neg\mathcal{E}(\langle A\rangle)$ for $0 < j < m$.

Proof: By 2.2.

2.3.3. $w_j \models \mathcal{E}(\langle A\rangle)$ for $0 \le j \le m$.

Proof: By 2.3.1 and the definition of atomicity.

2.3.4. $m \le 1$

Proof: By 2.3.2 ($w_j \models \neg\mathcal{E}(\langle A\rangle)$ for $0 < j < m$) and 2.3.3.

2.3.5. $w \xrightarrow{\Pi - S} v$ or $w \xrightarrow{\langle A\rangle} v$ or $w = v$

Proof: By 2.3.2 and 2.3.4, since $(\Pi - L) - R = (\Pi - S) \cup \langle A\rangle$.

2.4. If $w \xrightarrow{\langle A\rangle} v$ then there exist states $x$ and $y$ such that $t \overset{\Pi - S}{\Longrightarrow} x \overset{R}{\Longrightarrow} w \xrightarrow{\langle A\rangle} v \overset{L}{\Longrightarrow} y \overset{\Pi - S}{\Longrightarrow} u$.

Proof: Step 2.2 and the antecedent imply $t \overset{(\Pi - S) \cup R}{\Longrightarrow} w \xrightarrow{\langle A\rangle} v \overset{(\Pi - S) \cup L}{\Longrightarrow} u$. The existence of $x$ follows from hypothesis 1(a) and part (a) of Lemma 2, and the existence of $y$ follows from hypothesis 2(a) and part (b) of Lemma 2, since $((\Pi - L) - \langle A\rangle) - R$ and $(\Pi - R;\langle A\rangle) - L$ both equal $\Pi - S$.

2.5. If $w \xrightarrow{\Pi - S} v$ or $w = v$ then there exist states $x$ and $y$ such that $t \overset{\Pi - S}{\Longrightarrow} x \overset{R}{\Longrightarrow} v \overset{L}{\Longrightarrow} y \overset{\Pi - S}{\Longrightarrow} u$.

Proof: Step 2.2 and the antecedent imply $t \overset{(\Pi - S) \cup R}{\Longrightarrow} w \overset{\Pi - S}{\Longrightarrow} v \overset{(\Pi - S) \cup L}{\Longrightarrow} u$. This implies $t \overset{(\Pi - S) \cup R}{\Longrightarrow} v \overset{(\Pi - S) \cup L}{\Longrightarrow} u$, since $\Pi - S \subseteq (\Pi - L) - \langle A\rangle$. The existence of $x$ follows from hypothesis 1(a) and part (a) of Lemma 2, and the existence of $y$ follows from hypothesis 2(a) and part (b) of Lemma 2, since $((\Pi - L) - \langle A\rangle) - R$ and $(\Pi - R;\langle A\rangle) - L$ both equal $\Pi - S$.

2.6. Choose $x$ and $y$ such that $t \overset{\Pi - S}{\Longrightarrow} x \overset{R}{\Longrightarrow} w \xrightarrow{\langle A\rangle} v \overset{L}{\Longrightarrow} y \overset{\Pi - S}{\Longrightarrow} u$ or $t \overset{\Pi - S}{\Longrightarrow} x \overset{R}{\Longrightarrow} v \overset{L}{\Longrightarrow} y \overset{\Pi - S}{\Longrightarrow} u$.

Proof: By 2.3, 2.4, and 2.5.

2.7. $t \overset{\Pi/S}{\Longrightarrow} x$ and $y \overset{\Pi/S}{\Longrightarrow} u$.

Proof: By 2.6, since $(\Pi - S) \subseteq \Pi/S$.

2.8. $x \xrightarrow{\langle S\rangle} y$

2.8.1. $x \models \mathcal{E}(S)$

Proof: By hypothesis 4 and 2.6, since every action of $\Pi - S$ leaves $\mathcal{E}(S)$ invariant.

2.8.2. $y \models \mathcal{E}(S)$

Proof: By hypothesis 5 and 2.6, since every action of $\Pi - S$ leaves $\neg\mathcal{E}(S)$ invariant.

2.8.3. $x \xrightarrow{\langle S\rangle} y$

Proof: By 2.6 (which implies $x \overset{S}{\Longrightarrow} y$), 2.8.1, and 2.8.2, and the definition of $\langle S\rangle$.

2.9. $t \overset{\Pi/S}{\Longrightarrow} u$

Proof: By 2.6, 2.7, and 2.8, since $\langle S\rangle \subseteq \Pi/S$.

3. $t \overset{\Pi/S}{\Longrightarrow} u$

Proof: By 1 and 2.

End Proof of Lemma

Lemma 4 Assume hypotheses 0-3 of the Reduction Theorem, and the additional hypotheses that, for states $t$ and $u$:

4. $\Pi/S$ satisfies $Init \Rightarrow \Box Q$

5. $t \models Init$

6. $t \overset{\Pi}{\Longrightarrow} u$

7. $u \models \mathcal{E}(S)$

Then $u \models Q$.

Proof of Lemma

1. $t \models \mathcal{E}(S)$

Proof: $t \models Init$ by hypothesis 5, and $Init \Rightarrow \mathcal{E}(S)$ by hypothesis 0 of the Reduction Theorem.

2. $t \overset{\Pi/S}{\Longrightarrow} u$

Proof: By hypotheses 6 and 7, and Lemma 3.

3. $u \models Q$

Proof: By 1, 2, and hypothesis 4.

End Proof of Lemma

Proof of Theorem

The "only if" part follows from Lemma 1. To prove the "if" part, it suffices to assume, for states $t$ and $u$:

4. $\Pi/S$ satisfies $Init \Rightarrow \Box Q$

5. $t \models Init$

6. $t \overset{\Pi}{\Longrightarrow} u$

and show that $u \models Q$.

The proof considers separately the cases $u \models \mathcal{E}(S)$ and $u \models \neg\mathcal{E}(S)$. The second case is further split into the cases $u \models \mathcal{E}(R;\langle A\rangle)$ and $u \models \neg\mathcal{E}(R;\langle A\rangle)$, yielding a total of three separate cases.

1. If $u \models \mathcal{E}(S)$ then $u \models Q$.

Proof: By Lemma 4.

2. If $u \models (\mathcal{E}(R;\langle A\rangle) \wedge \neg\mathcal{E}(S))$ then $u \models Q$.

Proof: The proof is by contradiction. We assume that $u \models \neg Q$.

2.1. Choose a state $v$ such that $u \overset{L}{\Longrightarrow} v$ and $v \models \mathcal{E}(S)$.

Proof: State $v$ exists by the assumption that $u \models \neg Q$, the antecedent of 2, and hypothesis 3.

2.2. $t \overset{\Pi}{\Longrightarrow} v$

Proof: By 2.1 and assumption 6, which asserts that $t \overset{\Pi}{\Longrightarrow} u$.

2.3. $v \models Q$

Proof: By 2.2 and Lemma 4, since $v \models \mathcal{E}(S)$ by 2.1. (Substitute $v$ for $u$ in the lemma.)

2.4. $u \models (\neg Q \wedge \neg\mathcal{E}(S))$

Proof: By the assumption that $u \models \neg Q$ and the antecedent of 2.

2.5. $v \models (\neg Q \vee \neg\mathcal{E}(S))$

Proof: By 2.1, 2.4, and hypothesis 2(b), substituting $u$ for $t$ and $v$ for $u$.

2.6. Contradiction.

Proof: 2.3, 2.5, and 2.1 ($v \models \mathcal{E}(S)$).

3. If $u \models (\neg\mathcal{E}(R;\langle A\rangle) \wedge \neg\mathcal{E}(S))$ then $u \models Q$.

3.1. $t \models \mathcal{E}(S)$

Proof: By hypotheses 5 and 0.

3.2. Choose state $v$ such that $t \overset{\Pi}{\Longrightarrow} v \overset{\Pi}{\Longrightarrow} u$ and $v \models \mathcal{E}(S)$.

Proof: Hypothesis 6 asserts the existence of states $t_i$ such that $t = t_0 \xrightarrow{\Pi} t_1 \cdots \xrightarrow{\Pi} t_n = u$. Let $v$ be the last $t_i$ such that $t_i \models \mathcal{E}(S)$. By 3.1, $t_i$ exists.

3.3. Choose state $w$ such that $v \overset{(\Pi - S) \cup R;\langle A\rangle}{\Longrightarrow} w \overset{(\Pi - S) \cup L}{\Longrightarrow} u$.

Proof: By SC1, since 3.2 asserts that $v \overset{\Pi}{\Longrightarrow} u$, and $S$ equals $(R;\langle A\rangle); L$.

3.4. If $w \ne u$ then $w \xrightarrow{\Pi - S} u$ and $w \models \neg\mathcal{E}(R;\langle A\rangle)$.

3.4.1. Choose states $w_0, \ldots, w_n$ such that $w = w_0 \xrightarrow{(\Pi - S) \cup L} w_1 \cdots w_{n-1} \xrightarrow{(\Pi - S) \cup L} w_n = u$ and $w_j \models \neg\mathcal{E}(L)$ for $0 < j < n$.

Proof: The states $w_j$ exist by 3.3, which asserts that $w \overset{(\Pi - S) \cup L}{\Longrightarrow} u$.

3.4.2. $u \models \neg\mathcal{E}(R;\langle A\rangle)$

Proof: Antecedent of 3.

3.4.3. $w_j \models \neg\mathcal{E}(R;\langle A\rangle)$ for $0 \le j \le n$

Proof: For $j = n$, this follows from 3.4.2 (since $w_n = u$). For $j < n$, it follows by induction since $\Pi - R;\langle A\rangle$ leaves $\mathcal{E}(R;\langle A\rangle)$ invariant.

3.4.4. $0 \le n \le 1$

Proof: By 3.4.1 ($w_j \models \neg\mathcal{E}(L)$ for $0 < j < n$) and 3.4.3, $w_j \models$ false for $0 < j < n$, since $\neg\mathcal{E}(L) \wedge \neg\mathcal{E}(R;\langle A\rangle) =$ false by SC3.

3.4.5. $w \xrightarrow{\Pi - R;\langle A\rangle} u$

Proof: By 3.4.1 and 3.4.4, since $w \ne u$ (the antecedent of 3.4) implies $n \ne 0$.

3.4.6. $w \xrightarrow{\Pi - S} u$

Proof: By 3.4.3, $w \models \neg\mathcal{E}(R;\langle A\rangle)$. By SC4, this implies $L$ is not enabled in state $w$. Since $S = R;\langle A\rangle \cup L$, 3.4.5 then implies $w \xrightarrow{\Pi - S} u$.

3.4.7. Proof statement 3.4 holds.

Proof: By 3.4.3 and 3.4.6, since $w = w_0$.

3.5. $v \overset{\Pi - L}{\Longrightarrow} u$

Proof: By 3.3, which asserts $v \overset{(\Pi - S) \cup R;\langle A\rangle}{\Longrightarrow} w$, and 3.4, since $\Pi - S \subseteq \Pi - L$.

3.6. Choose state $x$ such that $v \overset{(\Pi - L) - \langle A\rangle}{\Longrightarrow} x \overset{(\Pi - L) - R}{\Longrightarrow} u$.

Proof: From 3.5 by SC1.

3.7. If $x \ne u$ then $x \xrightarrow{\Pi - S} u$.

3.7.1. $t \overset{\Pi}{\Longrightarrow} x$

Proof: By 3.2 and 3.6.

3.7.2. $x \models \mathcal{E}(\langle A\rangle)$

Proof: 3.1 and SC2 imply $t \models \mathcal{E}(\langle A\rangle)$, and 3.7.1 and the definition of atomicity then imply $x \models \mathcal{E}(\langle A\rangle)$.

3.7.3. $x \xrightarrow{(\Pi - L) - R} u$

Proof: By 3.6, there exist states $x_0, \ldots, x_p$ such that $x = x_0 \xrightarrow{(\Pi - L) - R} x_1 \cdots x_{p-1} \xrightarrow{(\Pi - L) - R} x_p = u$ and $x_j \models \neg\mathcal{E}(\langle A\rangle)$ for $0 < j < p$. By 3.7.2 and the definition of atomicity, $x_j \models \mathcal{E}(\langle A\rangle)$ for $0 \le j \le p$. Hence, $p \le 1$, and since $x \ne u$ (by the antecedent of 3.7), $p = 1$.

3.7.4. $x \xrightarrow{\Pi - S} u$

Proof: Since $u \models \neg\mathcal{E}(R;\langle A\rangle)$ (by the antecedent of 3), SC5 implies that if $x \xrightarrow{\alpha} u$, then $\alpha \ne \langle A\rangle$. Hence, 3.7.3 implies $x \xrightarrow{\Pi - S} u$, since $((\Pi - L) - R) - \langle A\rangle$ equals $\Pi - S$.

3.8. $v \overset{(\Pi - S) \cup R}{\Longrightarrow} u$

Proof: 3.6 and 3.7 imply $v \overset{(\Pi - L) - \langle A\rangle}{\Longrightarrow} u$, and $(\Pi - S) \cup R = (\Pi - L) - \langle A\rangle$.

3.9. Choose state $y$ such that $v \overset{\Pi - S}{\Longrightarrow} y \overset{R}{\Longrightarrow} u$.

Proof: By 3.8 and Lemma 2.

3.10. $y \models \mathcal{E}(S)$

Proof: From 3.9, since $v \models \mathcal{E}(S)$ by 3.2, and $\Pi - S$ leaves $\mathcal{E}(S)$ invariant.

3.11. $y \models Q$

Proof: Since $t \over

H: set{\Pi}{\Longrightarrow} v$ by 3.2 and $v \overset{\Pi}{\Longrightarrow} y$ by 3.9, we have $t \overset{\Pi}{\Longrightarrow} y$. Also, $y \models \mathcal{E}(S)$ by 3.10. Hence, Lemma 4, substituting $y$ for $u$, implies $y \models Q$.

3.12. $u \models Q$

End Proof of Theorem